14 Aug 2015

Cryptowall

Cryptowall 3.0 attacking Australian businesses: Alert Priority High

A new variant of the ransomware known as Cryptowall is believed to be attacking Australian businesses. Cryptowall 3.0 encrypts the files on an infected computer, and the criminals behind the malware demand payment for the key needed to decrypt them. The payments demanded range from a few hundred dollars to more than $10,000.

Businesses are advised to protect their existing computer systems and to ensure that critical data is backed up, so that files can be restored without paying if an attack succeeds. A backup is only useful for this purpose if it is kept disconnected from the computers it protects; a backup drive or network share that is connected at the time of the attack can be encrypted along with everything else.

Cryptowall 3.0 is delivered by an exploit kit that targets vulnerabilities in Adobe Reader, Adobe Flash, Internet Explorer, Java and Silverlight. Most computers run at least one of these programs, so a single out-of-date plugin is enough for a visit to a compromised website to lead to infection without the user opening anything.

Once the exploit succeeds, the victim's browser is redirected to a ransomware download page hosted on Google Drive, from which the malware is installed on the computer. The malicious file arrives inside a zip archive called resume.zip and is named my_resume_pdf_id-###.scr: the "pdf" in the name is there to make it look like a document, but the .scr extension marks a Windows screensaver, which is an ordinary executable and runs when double-clicked. The ransomware then searches the computer for files to encrypt, in particular Microsoft Word documents.
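The lure described above relies on an executable (.scr) carrying a document-like name inside a zip archive. The following Python script, added here as an example and not part of the original alert, shows the checks a mail gateway or a help desk could apply to such an archive before anyone opens it: it flags members with an extension Windows will execute, members whose name mimics a document while the extension is executable, and members whose content starts with the "MZ" header of a Windows executable regardless of what the name claims. The archive it inspects is constructed in memory; the member name my_resume_pdf_id-0000.scr is a made-up stand-in for the pattern quoted on the page, and the payload bytes are padding, not a real sample.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Extensions Windows will execute directly when the file is double-clicked.
EXECUTABLE_EXTS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cpl", ".msi", ".ps1",
}

# Extensions a user expects to be harmless documents.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

# Words attackers put in a file name so an executable looks like a document.
DOCUMENT_LURES = ("pdf", "doc", "xls", "resume", "invoice", "cv")

# First two bytes of every Windows PE executable (.exe, .scr, .dll, ...).
PE_MAGIC = b"MZ"


def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of the zip archive in `data`.

    Each finding is {"member": <name>, "reasons": [<why>, ...]}.
    Members that trigger no check are not reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, ext = posixpath.splitext(name.lower())
            reasons = []

            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
                # e.g. "report.pdf.exe" or "my_resume_pdf_id-0000.scr"
                if any(lure in stem for lure in DOCUMENT_LURES):
                    reasons.append("document-like name on an executable")

            # Read only the first two bytes; enough to recognise a PE file.
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                reasons.append("PE (MZ) header")
                if ext in DOCUMENT_EXTS:
                    reasons.append("executable content behind a document extension")

            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the resume.zip lure on the page.

    The member name is a made-up stand-in for the quoted pattern and the
    payload is the MZ magic plus padding, not real malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my_resume_pdf_id-0000.scr", PE_MAGIC + b"\x00" * 62)
        zf.writestr("cover_letter.txt", b"Dear hiring manager,\n")  # benign control
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"{finding['member']}: {'; '.join(finding['reasons'])}")
```

The MZ check is the one worth keeping even if the name-based rules are tuned down: an attacker can rename the file freely, but a Windows executable has to start with those two bytes to run. In practice the script would be pointed at the real attachment (`inspect_zip(open(path, "rb").read())`) rather than the constructed archive.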

The ransomware then encrypts these documents, deletes the originals, and displays a message telling the victim that a ransom must be paid to get the files back.

While there have been reports of files being recovered after the ransom is paid, paying does nothing to protect the computer against further attacks: the attacker may simply encrypt the files again. For this reason, responding to extortion is not encouraged.

Staying Safe

To protect yourself and your business from a ransomware attack, do not browse suspicious sites, do not install untrusted programs from the internet, and do not open email or social media attachments from unknown or untrusted sources. Be especially wary of attachments that claim to be documents but arrive as zip archives or carry an executable extension such as .scr or .exe.

Ransomware can be installed by exploiting vulnerabilities in older versions of software, including browser plugins such as Flash, Java and Silverlight. You can protect yourself by ensuring that updates for all of your programs are installed automatically as soon as they are available, and by removing plugins you do not use. In addition, ensure that you have an up-to-date antivirus solution running.

If you are attacked by the ransomware, seek immediate technical advice. Disconnect the infected computers from the network so the malware cannot reach shared drives, remove the ransomware from all infected computers, and recover the files from a backup that was not connected at the time of the attack.